CVE-2026-25733
📋 TL;DR
Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting vulnerability in the WebUI's Custom Rules function. This allows attackers to inject malicious JavaScript that executes when users view affected pages, potentially stealing session tokens or performing unauthorized actions. All Rucio WebUI users are affected.
💻 Affected Systems
- Rucio
📦 What is this software?
Rucio by CERN
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session tokens, gain full control of the Rucio system, manipulate or delete scientific data, and compromise associated systems.
Likely Case
Attackers steal user session tokens to impersonate legitimate users, access sensitive data, or modify data management rules.
If Mitigated
The attack is limited to specific user sessions with minimal privileges, with no data loss or system compromise.
🎯 Exploit Status
Exploitation requires authenticated access to create malicious Custom Rules, but stored XSS payloads can then affect all users viewing those rules.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 35.8.3, 38.5.4, or 39.3.1
Vendor Advisory: https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q
Restart Required: Yes
Instructions:
1. Identify your Rucio version.
2. Upgrade to 35.8.3, 38.5.4, or 39.3.1 based on your release series.
3. Restart Rucio services.
4. Verify WebUI functionality.
🔧 Temporary Workarounds
Disable Custom Rules Function
Temporarily disable the Custom Rules functionality in the Rucio WebUI to prevent exploitation.
Modify Rucio WebUI configuration to remove Custom Rules access
Implement WAF Rules
Deploy Web Application Firewall rules to block XSS payloads targeting the Custom Rules endpoint.
Configure WAF to filter malicious scripts in /rucio/custom_rules requests
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Restrict access to Rucio WebUI using network segmentation and authentication controls
🔍 How to Verify
Check if Vulnerable:
Check the Rucio version via the WebUI or API. If the version is below 35.8.3, 38.5.4, or 39.3.1, the system is vulnerable.
Check Version:
rucio --version or check WebUI footer
Verify Fix Applied:
After patching, verify that the version shows 35.8.3, 38.5.4, or 39.3.1. Test the Custom Rules functionality with safe input.
📡 Detection & Monitoring
Log Indicators:
- Unusual Custom Rules creation/modification patterns
- JavaScript payloads in WebUI request logs
- Multiple failed authentication attempts followed by Custom Rules access
Network Indicators:
- HTTP POST requests to /rucio/custom_rules containing script tags or JavaScript
- Unusual outbound connections from Rucio WebUI server
SIEM Query:
source="rucio_webui" AND (uri_path="/custom_rules" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))
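The SIEM query above, written out as a small log filter that can be run over request logs offline. This is an added example, not code from this page or from the Rucio project; the JSON log shape and field names are assumed, and the log lines are constructed.

```python
import json
import re
from urllib.parse import unquote_plus

# Assumed log shape: one JSON object per request with the field names used in
# the SIEM query above (source, uri_path, request_body) plus the HTTP method.

# Coarse markers for the indicators listed on this page (script tags and
# javascript: URLs): a first-pass alerting filter, not a complete XSS detector.
_XSS_MARKERS = re.compile(r"<script\b|javascript:", re.IGNORECASE)


def is_suspicious_custom_rules_request(event):
    """True when a write to the Custom Rules endpoint carries a script marker."""
    if event.get("source") != "rucio_webui":
        return False
    if event.get("method", "").upper() not in ("POST", "PUT"):
        return False
    # Accept both /custom_rules (SIEM query) and /rucio/custom_rules (indicators).
    if not event.get("uri_path", "").rstrip("/").endswith("/custom_rules"):
        return False
    # Form bodies are URL-encoded, so decode before matching; otherwise
    # %3Cscript%3E slips past a plain substring check.
    body = unquote_plus(event.get("request_body", ""))
    return bool(_XSS_MARKERS.search(body))


def flag_events(lines):
    """Parse JSON log lines and return the events that should raise an alert."""
    flagged = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of stalling the pipeline
        if is_suspicious_custom_rules_request(event):
            flagged.append(event)
    return flagged


# Constructed sample log lines, not real Rucio output.
SAMPLE_LOG = [
    '{"source":"rucio_webui","method":"POST","uri_path":"/rucio/custom_rules","user":"alice","request_body":"name=archive&expr=scope%3Duser.alice"}',
    '{"source":"rucio_webui","method":"POST","uri_path":"/rucio/custom_rules","user":"mallory","request_body":"name=<script>alert(1)</script>"}',
    '{"source":"rucio_webui","method":"GET","uri_path":"/rucio/custom_rules","user":"bob","request_body":""}',
    '{"source":"rucio_webui","method":"PUT","uri_path":"/custom_rules","user":"eve","request_body":"link=JavaScript:void(0)"}',
    '{"source":"rucio_webui","method":"POST","uri_path":"/rucio/custom_rules","user":"mallory","request_body":"name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}',
    'not json at all',
]

if __name__ == "__main__":
    print([e["user"] for e in flag_events(SAMPLE_LOG)])  # ['mallory', 'eve', 'mallory']
```

The URL-decoding step matters in practice: a plain substring match on the raw body, as in the SIEM query, misses form-encoded payloads such as the last constructed line.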
🔗 References
- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
- https://github.com/rucio/rucio/releases/tag/35.8.3
- https://github.com/rucio/rucio/releases/tag/38.5.4
- https://github.com/rucio/rucio/releases/tag/39.3.1
- https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q